The present disclosure generally relates to mobile authentication techniques. The disclosed embodiments relate more specifically to a system, apparatus, method, and computer program product for providing security and convenience in mobile authentication.
As society becomes more mobile and fast-paced, the use of currency (e.g., cash) increasingly is being replaced with electronic transactions using credit cards, debit cards, electronic checks, and automatic teller machines (ATMs). To further hasten such transactions, the Merchant Service Providers (MSPs) that provide transaction processing solutions to merchants often pre-arrange with those merchants to accept credit card and debit card transactions up to a certain dollar amount without requiring a customer to sign a receipt. Also known as Quick Sale Retail (QSR) transactions, such transactions benefit both the customer and the merchant—the customer is not bothered with signing the receipt and the merchant can move customers more quickly through a check-out line.
Despite the conveniences provided by QSR transactions, credit cards and debit cards have certain security vulnerabilities. In order to complete a card-based transaction, a user must provide a primary account number (PAN) and a verification value, sometimes referred to as a Card Verification Value (CVV or CV2), Card Verification Code (CVC), or Card Security Code (CSC). The PAN is a fifteen-digit or sixteen-digit series of human-readable characters that is embossed on the front of the card and generally is used to identify a particular customer. And credit cards and debit cards typically are provided with two verification values: 1) a first verification value encoded into the magnetic stripe (“magstripe”) on the card and 2) a second verification value printed on the front or back of the card, typically as a three-digit or four-digit series of human-readable characters.
The first verification value generally is used to conduct “card present” transactions in which the user presents the card in person so the first verification value can be read directly from the magstripe by a card reader (e.g., point of sale (POS) transactions). And the PAN and second verification value generally are used to verify that a customer has the card in his/her possession during “card not present” transactions in which the first verification value cannot be read directly from the magstripe (e.g., an Internet transaction, a telephone transaction, etc.). Thus, either the first verification value or the PAN in combination with the second verification value generally are used to ensure that only authorized users conduct transactions with a credit card or debit card.
The security of the PAN, the first verification value, and the second verification value can be compromised in a number of ways, which is compounded by the static nature of that account information. To combat such security risks, consortiums have developed global standards for credit card and debit card payments based on chip card technology. For example, the EuroPay, MasterCard, and Visa (EMV) consortium has defined a standardized smart card that works with standardized smart card readers, cryptograms, etc. Smart cards are credit-card-sized cards that contain a microprocessor and memory. EMV's smart cards use symmetric key cryptography for signature and authentication, wherein a provisioning server and an authenticating server each have a copy of a Triple Data Encryption Standard (Triple-DES) Master Derivation Key (MDK) in hardware. And when a particular user is identified by his/her PAN, the provisioning server applies the MDK to the PAN and generates two symmetric DES keys (e.g., a Unique DEA Key A (UDKA) and a Unique DEA Key B (UDKB)), which go into the smart card for that user. At present, it is widely believed that DES keys are best stored by physically isolating them in the smart card's hardware (e.g., by writing them onto the chip card's memory).
When conducting a transaction with a smart card, a user may be required to enter a personal identification number (PIN) and/or a one-time passcode (OTP) to access the DES keys in that user's smart card. The smart card's microprocessor then uses that authentication information and a random number to generate a cryptogram, called an Authorization Request Cryptogram (ARQC), which it digitally “signs” with the two DES keys. That authentication information is sent to the authenticating server where it is used to recreate the cryptogram and, if it matches the ARQC from the smart card and the OTP entered by the user (if an OTP is required), the purchase is approved and an application transaction counter (ATC) is incremented on both the smart card and the authentication server.
An ATC on the smart card and an ATC on the authentication server are incremented each time a transaction is completed to ensure that a fresh OTP is provided (if an OTP is required) and to guard against certain types of attacks, such as a replay attack. If the ATC on the smart card and the ATC on the authentication server get out of sync, the smart card and/or card reader will be locked until the client ATC and server ATC are resynchronized. The smart card also may be locked if a user enters the wrong PIN a predetermined number of times in a row. Unlocking the smart card may require contacting the card provider or entering a PIN unblock key (PUK). Unlocking the smart card may even require reissuance of the smart card.
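The key derivation, cryptogram check and counter handling described above can be modelled as follows; this is an added example, not code from the disclosure or from the EMV specifications. It assumes HMAC-SHA256 as a stand-in for both the Triple-DES key derivation and the ARQC computation, a single card key instead of the UDKA/UDKB pair, no PIN or OTP step, and hypothetical names (`Card`, `AuthServer`, `derive_card_key`, `cryptogram`) with a constructed key and PAN.

```python
import hashlib
import hmac
import secrets

def derive_card_key(mdk, pan):
    # Stand-in for the Triple-DES MDK -> UDKA/UDKB derivation (assumption).
    return hmac.new(mdk, pan.encode(), hashlib.sha256).digest()

def cryptogram(key, amount, nonce, atc):
    msg = amount.to_bytes(8, "big") + nonce + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0
    def request(self, amount):
        nonce = secrets.token_bytes(4)
        return {"pan": self.pan, "amount": amount, "nonce": nonce, "atc": self.atc,
                "arqc": cryptogram(self.key, amount, nonce, self.atc)}

class AuthServer:
    def __init__(self, mdk):
        self.mdk, self.atc, self.locked = mdk, {}, set()
    def authorize(self, req):
        pan, server_atc = req["pan"], self.atc.get(req["pan"], 0)
        if pan in self.locked:
            return "locked"
        key = derive_card_key(self.mdk, pan)
        expected = cryptogram(key, req["amount"], req["nonce"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "declined: bad cryptogram"
        if req["atc"] < server_atc:
            return "declined: replay"      # counter already consumed
        if req["atc"] > server_atc:
            self.locked.add(pan)           # genuine card, counters out of sync
            return "locked"
        self.atc[pan] = server_atc + 1     # approve and advance the server ATC
        return "approved"

def demo():
    mdk, pan = bytes(range(16)), "4000000000000002"   # constructed key and PAN
    card, server = Card(pan, derive_card_key(mdk, pan)), AuthServer(mdk)
    first = card.request(1250)
    results = [server.authorize(first)]
    card.atc += 1                                      # card ATC advances on approval
    results.append(server.authorize(first))            # same message presented again
    results.append(server.authorize(dict(card.request(1250), amount=999999)))
    card.atc += 1                                      # drift: no completed transaction
    results.append(server.authorize(card.request(500)))
    return results
```

The cryptogram is verified before the counters are compared, so in this model only a message produced with the card's key can trigger the lock; an unauthenticated message with an arbitrary counter is simply declined.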